The method java.lang.Object.equals(), by default, is unable to compare composite objects such as cryptographic keys. Most Key classes fail to provide an equals() implementation that overrides Object.equals(). In such cases, the components of the composite object must be compared individually to ensure correctness.
Noncompliant Code Example
This noncompliant code example compares two keys using the equals() method. The keys may compare unequal even when they represent the same value.
| Code Block |
|---|
|
private static boolean keysEqual(Key key1, Key key2) {
if (key1.equals(key2)) {
return true;
}
return false;
}
|
Compliant Solution
This compliant solution uses the equals() method as a first test and then compares the encoded version of the keys to facilitate provider-independent behavior. In this example, we check It checks whether an RSAPrivateKey and an RSAPrivateCrtKey represent equivalent private keys [Sun 2006Oracle 2011b].
| Code Block |
|---|
|
private static boolean keysEqual(Key key1, Key key2) {
if (key1.equals(key2)) {
return true;
}
if (Arrays.equals(key1.getEncoded(), key2.getEncoded())) {
return true;
}
// More code for different types of keys here.
// For example, the following code can check whether
// an RSAPrivateKey and an RSAPrivateCrtKey are equal:
if ((key1 instanceof RSAPrivateKey) &&
(key2 instanceof RSAPrivateKey)) {
if ((((RSAKey) key1).getModulus().equals(((RSAKey) key2).getModulus()))
&& (((RSAPrivateKey) key1).getPrivateExponent().equals(
((RSAPrivateKey) key2).getPrivateExponent()))) {
return true;
}
}
return false;
}
|
Automated Detection
...
| Tool | Version | Checker | Description |
|---|
| The Checker Framework | | Include Page |
|---|
| The Checker Framework_V |
|---|
| The Checker Framework_V |
|---|
|
| Interning Checker | Errors in equality testing and interning (see Chapter 5) |
Bibliography
MSC03-J. Never hardcode sensitive information 49. Miscellaneous (MSC) MSC05-J. Store passwords using a hash function
...
Image Added Image Added Image Added
